17 November 2022

Supply chain attacks: what are they and how can you protect against them?

Effective defence against supply chain attacks is a vital part in any organisation's cyber security armoury.

What are supply chain attacks?

Most organisations rely upon a supply chain to deliver products, systems and software critical to the day-to-day business operations. However, a large proportion of these organisations do not realise that this opens them up to crippling cyber-attacks.

By leveraging the weakest link within a supply chain an attacker opens up a wide array of potential targets with relative ease. With existing relationships in place between customers and suppliers, the attacker’s route is already laid out and ready for them to take advantage of.

The most basic supply chain attacks involve an email, supposedly from a supplier, asking a customer to log into a portal. The impact on the customer may be small and go unnoticed, but this could be just the start of the attack: each additional compromised account gives the attacker another foothold from which to continue building out their attack.

More complex supply chain attacks involve additional groundwork before an attacker can reap the rewards. Software-based supply chain attacks are leading the way on the scale of the reward, and this is one of the reasons we are seeing more and more of them. The number of software supply chain attacks reportedly tripled in 2021 compared with 2020.

Notorious supply chain attacks

In 2017 it was alleged that Kaspersky had been used by hackers working for the Russian government to steal classified materials belonging to a contractor working for the US Government’s intelligence agency, the National Security Agency (NSA). This led to many organisations rethinking their anti-virus provider and also to the US government banning the use of Kaspersky software in federal information systems.

As 2020 was drawing to a close, security professionals around the world found themselves working around the clock when it was reported that SolarWinds had been hacked. Suspected nation state hackers gained access to the systems and data of thousands of SolarWinds customers.

More recently Kaseya, who provide IT solutions to managed service providers (MSPs), was hit by a ransomware attack putting the customers of many MSPs at risk. Because of the way MSPs work with their customers, they held permanent administrative-level connections into many companies. This allowed the attackers to push the ransomware via a malicious patch, paralysing over 1000 organisations.

The success of these attacks, and many similar instances, means it is almost certain that they will remain a common attack by both cyber criminals and nation state actors.

How to protect yourself, your organisation, and your supply chain

At the end of 2021, 59% of organisations who had suffered a supply chain attack reported they were not prepared and did not have a response strategy. While being able to respond to an attack is vital, preparation and prevention will go a long way to protecting against such an attack.

The four key stages of preparation and prevention are:

  1. Understand the risks: understand your suppliers and the wider supply chain and identify your most vulnerable and highest-risk resources or assets.
  2. Establish the controls: apply good cyber hygiene, consider password management, multifactor authentication, and software updates.
  3. Assess your arrangements: define your requirements from suppliers; these may vary according to the risk each supplier poses. Do not ask your suppliers to do something you are not already doing.
  4. Keep improving: help and advise your suppliers on key improvements, and do not make them jump through hoops. If they already hold a sufficient security certification, they do not need to answer hundreds of questions.

Building trust in the supply chain

Unfortunately, a successful supply chain attack only needs one weak link, and as such it is imperative to build relationships between suppliers and customers. Help one another with problems, provide guidance and support where possible. Developing good communication throughout the supply chain is key, raising awareness of issues and incidents. Share knowledge and best practice. Supply chain attacks are increasing but vigilance and good communication can contribute to forming an effective layer of defence.

Hopefully, this article will be a catalyst in starting conversations and improvements in supply chain security. MHR can support your security needs. Have a look at iTrent Shield or feel free to get in touch to discuss your cyber security concerns.

Emma Doyle

Emma is the Information Security Manager at MHR. She has experience managing cyber security at international organisations in both the aerospace and financial services industries, protecting organisations against nation state attacks and running information security programmes to drive the continual improvement of information security.